CCTV POLICY

Hoey’s DIY

CCTV Data Protection Policy

 

Version Control

Name of Document

CCTV Data Protection Policy

Last Reviewed

 Jan 2024

Version Number

V1

Next Review

 

Date Issued

 

Document Owner

K Matthews

 

  1. Introduction

The purpose of this policy is to set out the reasons we have implemented CCTV and how we manage it. This includes our obligations when dealing with personal data, to ensure that we comply with the requirements of the GDPR and the relevant legislation, namely the Data Protection Acts.

 

We will ensure that CCTV systems, where installed, are operated only in a way that is compatible with the provisions of this policy.

 

  1. Scope

This policy relates to the location and use of CCTV and the monitoring, recording and subsequent use of such recorded material. This policy applies to all CCTV images and recordings in relation to Hoey’s DIY’s data subjects captured both internally and externally. Recognisable images captured by CCTV systems are ‘personal data’ and are therefore subject to the provisions of the GDPR and the Data Protection Acts.

 

  1. Purpose

We use CCTV systems and associated monitoring and recording equipment as an added mode of security and surveillance for the purpose of enhancing the safety and security and specifically for the following purposes:

 

  • Health & Safety: As responsible employers we have a duty of care to our employees under the provisions of the Safety, Health and Welfare at Work Acts and associated legislation.
  • Crime Prevention: Our objective is to deter crime and vandalism.
  • Security: We have a responsibility to protect the organisations property and equipment as well as providing a safe environment for data subjects (employees, customers, visitors) while they are on our premises.
  • Incident Investigations: We will not use CCTV facilities to actively monitor employee conduct in the performance of day-to-day duties and will not proactively use CCTV to identify conduct that may give rise to disciplinary action. However, staff are advised that in the event of disciplinary or other investigative action being conducted, CCTV footage may be sought and used where it can assist in the process. This means that the Hoey’s DIY and/or individual staff members may request access to CCTV footage if it is believed it may be relevant and/or assist with any investigation or disciplinary process.

 

  1. Controller / Processor Status

 

4.1 Data Controller

Hoey’s DIY, whose registered address is Station Road, Castlebellingham, Dundalk, Co Louth, A91 R802, is the company that controls and is responsible for the personal data collected.

 

4.2 Data Processor

We rely on the expertise of a third-party, Advanced Digital Security Ireland, to both manage and maintain our CCTV system. We ensure that they comply with the guidelines set out in this policy and the terms defined in a Data Processing Agreement. As a data processor Advanced Digital Security Ireland is legally obliged to have appropriate security measures in place to prevent unauthorised access to or unauthorised alteration, disclosure or destruction of the data. This includes having appropriate access controls and security procedures in place and to ensure employees are aware of their obligations relating to the security of data.

 

  1. Data We Collect

Our CCTV captures footage of:

 

  • Customers
  • Visitors
  • Employees
  • Suppliers
  • Business Contacts

 

  1. Lawful Basis
  • In line with Article 6(1)f processing is necessary for the purposes of the legitimate interests pursued by the controller. That is to protect our organisation and its assets, maintain the safety of persons who attend our office, prevent crime and for investigation purposes as outlined above.

 

  1. General Principles
  • Necessity: The GDPR states that processing of personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We have undertaken the appropriate investigations to ensure that CCTV is necessary to achieve our goals.
  • Proportionality: Our use of CCTV is justified for the purposes set out in this policy. CCTV will be conducted in a professional, ethical and legal manner and any use of CCTV technologies for other purposes is prohibited by this policy. CCTV monitoring of public areas for security purposes will be conducted in a manner consistent with all existing policies adopted by Hoey’s DIY to be compliant with all related legislation. CCTV monitoring of public areas for security purposes is limited to uses that do not violate the individual’s reasonable expectation to privacy.
  • Security: CCTV recordings are kept safe and secure. See section 8 below.
  • Retention: Footage captured by CCTV will be retained for a maximum of 21 days, except where the image identifies an issue and is retained specifically in the context of an investigation/prosecution of that issue.Transparency: Adequate signage is displayed to indicate that CCTV is in operation. Signage is displayed at the entrance to the premises and at various points throughout the building. The signage includes name and contact details of the data controller (Hoey’s DIY), the purpose of CCTV and a camera symbol. Refer to appendix 3 for sample CCTV signage. Interested parties can contact us to obtain a copy of this policy.

 

  1. Security Arrangements

Access to the CCTV system and stored images are restricted to authorised personnel only. Recorded footage is saved on hard drive and the monitoring equipment is securely stored in a locked office. Unauthorised access to that area is not permitted at any time. The area is locked when not occupied by authorised personnel. A log of access to recordings is maintained and similar measures are employed when using disk storage, with automatic logs of access to the images created.

 

 

 

Camera Locations

 

Trade Counter Left

Shop Aisle

Shed 3 Entrance

Facing Cutting Office

Trade Counter Right

Shop Aisle

Clothing Section Shop

Workshop Entrance

Cash Desk

Shop Aisle

Shed Two Entrance

Worktop Storage Entrance

Front Door

Front of Shop Left

Shed Two facing yard

Clothing Section Shop

Shop Aisle

Front of Shop Right

Facing Entrance Gare

Cutting Office

Cutting Office

Workshop

 

 

 

 

 

  1. Covert Surveillance

Covert surveillance will only be used in exceptional circumstances and with the prior engagement of An Garda Siochana for potential criminal investigation or civil legal proceedings arising as a consequence of an alleged committal of a criminal offence.

 

  1. Disclosure To Third Parties

Access is strictly limited to authorised personnel only and selected third parties only:

 

  • Service/Maintenance: From time to time, we may require the expertise of third-party CCTV professionals to service and maintain the system (Advanced Digital Security Ireland). The CCTV system is serviced annually. Such service providers are bound to comply with our data protection standards through a Data Processing Agreement.
  • CCTV Professionals: We may require additional expertise if a subject access request warrants the blurring of third-party images. Such service providers are bound to comply with our data protection standards through a Data Processing Agreement.
  • An Garda Siochana may request access to CCTV footage to investigate a criminal matter. The Data Protection Commission recommends that requests for copies of CCTV footage should only be acceded to where a formal written (or fax) request is provided to the data controller stating that An Garda Síochána is investigating a criminal matter. For practical purposes, and to expedite a request speedily in urgent situations, a verbal request may be sufficient to allow for the release of the footage sought. However, any such verbal request must be followed up with a formal written request. It is recommended that a log of all An Garda Síochána requests is maintained by data controllers and processors. There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective.
  • Legal Advisors: We may need to share footage and images with legal advisors in the event of a legal dispute.

 

  1. Responsibility

Authorising the use of and supervising access and maintenance of the CCTV System is the responsibility of the Managing Director. The Managing Director may delegate the day-to-day administration of the CCTV System to a staff member.

 

The person responsible for data protection is charged with overseeing the release of CCTV data on foot of subject access requests or Garda requests.

 

  1. Transfers Outside of the EEA

Hoey’s DIY generally do not transfer CCTV data outside of the EU/EEA.

 

In cases where CCTV data needs to be transferred or processed outside of the EU/EEA, Hoey’s DIY choose providers who process data on the basis of:

 

  • Standard Contract Clauses
  • An Adequacy Decision from the European Commission
  • EU-US Privacy Framework
  • Consent by the Data Subject to transfer the data

 

  1. Data Subjects Rights

A data subject has various rights under data protection law, subject to certain exemptions, in connection with the processing of personal data. The following rights apply to CCTV:

 

  • Right to access the data – to request a copy of the personal data that, together with other information about the processing of that personal data (Subject Access Request). Requests will be processed free of charge and within one month of receipt (unless in exceptional circumstances).
  • Right to erasure – to request the deletion of personal data.
  • Right to restriction of processing or to object to processing – to request that personal data be no longer processed for particular purposes, or to object to processing of personal data for particular purposes.

 

In order to exercise any of the above rights, please contact Hoey’s DIY (see contact details in Appendix 1). Please note, in line with our obligations to protect personal data, some requests may require validation (e.g., proof of ID etc).

 

  1. Questions and Complaints

Questions and complaints in connection to our use of CCTV can be forwarded to the person responsible for data protection (See details in Appendix 1).

 

As a data subject you also have the right to lodge a complaint with the Data Protection Commission if you are unhappy with our processing of your personal data. Details of how to lodge a complaint can be found on (www.dataprotection.ie), tel 1890 252 231.

 

We would, however, appreciate the chance to deal with your concerns before you approach the Data Protection Commission, so please contact us in the first instance.

 

  1. Document Reviews

This policy will be reviewed and updated annually or more frequently, if necessary, to ensure that any changes are properly reflected in the policy.

 

 

 

 

 

 

 

 

 

 

 

 

Document History

 

Date

Current Version

Details of update

New Version

Completed by:

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Appendix 1: Data Protection Contact Details

Name

Karen Matthews

Email

karen@hoeysdiy.ie

 

 


 

Appendix 2 Definitions

 

For the avoidance of doubt, and for consistency in terminology, the following definitions will apply within this Policy.

Data

This includes both automated and manual data.

Automated data means data held on computer or stored with the intention that it is processed on computer.

Manual data means data that is processed as part of a relevant filing system, or which is stored with the intention that it forms part of a relevant filing system.

Personal Data

Information which relates to a living individual, who can be identified either directly from that data, or indirectly in conjunction with other data which is likely to come into the legitimate possession of the Data Controller.

Data Controller

A person or entity who, either alone or with others, controls the content and use of Personal Data by determining the purposes and means by which that Personal Data is processed.

Data Subject

A living individual who is the subject of the Personal Data, i.e. to whom the data relates either directly or indirectly.

Data Processor

A person or entity who processes Personal Data on behalf of a Data Controller on the basis of a formal, written contract, but who is not an employee of the Data Controller, processing such Data in the course of his/her employment.

Employee

A living individual with whom Hoey’s DIY has an employment relationship, regardless of whether this relationship is based on an employment contract. This includes all current and former employees who are or have been paid through the company payroll whether permanent, temporary, full time or fixed term, as well as agency workers and contractors who have data processed.

Relevant Filing System

Any set of information in relation to living individuals which is not processed by means of equipment operating automatically (computers), and that is structured, either by reference to individuals, or by reference to criteria relating to individuals, in such a manner that specific information relating to an individual is readily retrievable.

CCTV

Closed-circuit television is the use of video cameras to transmit a signal to a specific place on a limited set of monitors.  The images may then be recorded on USB or other digital recording mechanism.

Data Protection Manager

A person appointed by Hoey’s DIY to monitor compliance with the appropriate Data Protection legislation, to deal with Subject Access Requests, and to respond to Data Protection queries from colleagues and customers.